Voice of the Industry

Keeping track of the real you

Monday 15 May 2017 09:05 CET | Editor: Melisande Mual | Voice of the industry

Rob van der Staaij, Innopay

Continuous authentication is the constant verification of a user's identity.

This process is supported by monitoring features such as facial pattern, frequency of eye blinking, fluctuation of pupil size and swipe dynamics. Continuous authentication seems to be the new buzzword in a world where cyber risks are soaring and passwords have become more of a burden than a contribution to security.

It is clear that passwords are no match for modern forms of cybercrime such as replay attacks, session hijacking and man-in-the-browser attacks. At the same time, people are becoming more mobile and the number of applications and devices they use keeps increasing. All of these factors make the need for password alternatives more and more urgent, especially for high-risk transactions.

For decades, a myriad of authentication methods has been presented as the final password killer, ranging from all sorts of hardware devices to a variety of biometric methods. So far, none of these has proved capable of permanently retiring the password. The reason has everything to do with finding the right balance between user friendliness, cost and security. Passwords may be less secure, but they are convenient and cheap to implement. Many people are lazy: they do not want to be bothered too much by something they consider a side issue, such as authenticating themselves. At first, biometrics seemed to be the egg of Columbus, the obvious simple solution. This concept involves body and behavioural characteristics, which are unique to each person, in the authentication process. Due to high cost and complexity, however, biometric authentication initially failed to succeed.

Nowadays, however, biometrics are becoming cost efficient and technically more feasible. More and more devices come with one or more biometric authentication mechanisms. This will be the pacemaker for continuous authentication. By combining multiple body and behavioural characteristics and monitoring them continuously, the degree of reliability increases and biometrics become more useful. Moreover, contextual factors, such as GPS location, IP address, time and device type, can be involved in the authentication process, making the whole concept even more reliable, as Innopay has implemented within several customer environments.

Continuous authentication (also called active or seamless authentication) can be explained as constantly verifying the identity of the user, for example by monitoring a combination of facial pattern, frequency of eye blinking, fluctuation of pupil size, and keystroke or swipe dynamics. This is in sharp contrast with conventional authentication methods, in which the user authenticates him or herself only during the initial login. That introduces significant risks, since sessions and identities can be taken over with a variety of cyber attacks such as the ones mentioned above. Moreover, a mobile device can be grabbed out of one's hands while performing a risky transaction.

Of course, a number of challenges remain. Precisely those biometric methods that can be used for continuous authentication are the less accurate ones. More precise methods, such as scanning the retina or iris, are less useful here, as they require the user to look at the scanning mechanism from time to time. Also, a user may switch workplace or device. In a number of use cases, continuous authentication may need to be combined with adaptive authentication (also called step-up or risk-based authentication), in which the user is presented with a stronger authentication method when the transaction is riskier. This presents further challenges from the viewpoint of implementation. Nevertheless, continuous authentication seems promising, especially for environments with a high risk profile such as financial organisations.
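To make the combination of continuous and adaptive authentication concrete, here is an added example (not code from the article or from Innopay) of a toy session score: it fuses the latest match score of several passive signals with a contextual check, lets observations decay as they age, and asks for step-up when a transaction's risk level needs more confidence than the passive signals currently give. The signal names, weights, half-life and thresholds are all assumed values.

```python
from dataclasses import dataclass, field

# Assumed values (not from the article): weights per passive signal summing to 1,
# the half-life after which an observation counts half, and the confidence each
# transaction risk level requires before continuous signals alone suffice.
WEIGHTS = {"face": 0.4, "blink": 0.15, "pupil": 0.15, "swipe": 0.3}
HALF_LIFE_S = 30.0
REQUIRED = {"low": 0.3, "medium": 0.6, "high": 0.85}
@dataclass
class Observation:
    signal: str   # which biometric produced the score
    score: float  # 0..1 match score against the enrolled user
    t: float      # seconds since session start

@dataclass
class Session:
    context_ok: bool  # GPS, IP, time and device type match the enrolled context
    latest: dict = field(default_factory=dict)  # newest observation per signal

    def observe(self, o: Observation) -> None:
        self.latest[o.signal] = o

    def confidence(self, now: float) -> float:
        """Weighted sum of each signal's latest score, decayed by its age, so that
        missing or stale signals pull the confidence down."""
        total = 0.0
        for signal, weight in WEIGHTS.items():
            o = self.latest.get(signal)
            if o is not None:
                total += weight * o.score * 0.5 ** ((now - o.t) / HALF_LIFE_S)
        # A context mismatch does not prove an attacker, but halves trust (assumed).
        return total if self.context_ok else total * 0.5

    def decide(self, now: float, risk: str) -> str:
        """'allow', or 'step-up' to a stronger method when the continuous
        signals do not reach the confidence this risk level needs."""
        return "allow" if self.confidence(now) >= REQUIRED[risk] else "step-up"

def demo() -> tuple:
    """One session: fresh signals, 30 s of silence, then face and swipe refresh."""
    s = Session(context_ok=True)
    for sig, score in (("face", 0.9), ("blink", 0.7), ("pupil", 0.6), ("swipe", 0.8)):
        s.observe(Observation(sig, score, 0.0))
    at_start = (s.decide(0.0, "medium"), s.decide(0.0, "high"))  # allow, step-up
    stale = (s.decide(30.0, "low"), s.decide(30.0, "medium"))    # allow, step-up
    s.observe(Observation("face", 0.9, 30.0))
    s.observe(Observation("swipe", 0.8, 30.0))
    refreshed = s.decide(30.0, "medium")                         # allow
    return at_start, stale, refreshed
```

Note that a device switch or a stale session degrades gracefully into a step-up rather than a hard failure, which is the behaviour the article asks for in the high-risk case.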

Is it right or wrong?

A big challenge of biometric authentication of any kind is the degree of reliability. Firstly, there are significant differences in reliability between the various biometric methods, but there is also a problem that all biometric methods have in common: finding the right balance between the false reject rate and the false accept rate. The measurement or scanning of body characteristics must be accurate enough to exclude an impostor, but cannot be too strict, since that may prevent the legitimate user from being authenticated. A person's physical characteristics can vary because of fatigue, illness, dirt or aging. Also, the way in which the biometric feature is scanned will vary due to sensor noise and because the angle or position of the body characteristic changes during the scanning process.
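The false accept / false reject trade-off is easiest to see with numbers. The following is an added example (not from the article): over constructed match scores for the enrolled user and for impostors, it computes FAR and FRR at each candidate threshold, finds the threshold closest to the equal error rate, and shows what a high-risk environment pays in false rejects for demanding a lower FAR. The score samples are made up for illustration.

```python
# Constructed match scores (0..1): "genuine" attempts are from the enrolled user,
# "impostor" attempts from other people. Real data would come from an evaluation set.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.52, 0.58, 0.63, 0.71]

def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False accept rate: fraction of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold: float, genuine=GENUINE) -> float:
    """False reject rate: fraction of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def candidates(genuine=GENUINE, impostor=IMPOSTOR) -> list:
    """Every observed score is a candidate threshold, plus one just above the
    highest score (accept nothing), so a FAR of 0 is always reachable."""
    ts = sorted(set(genuine) | set(impostor))
    return ts + [ts[-1] + 1e-9]

def eer_threshold(genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Threshold where FAR and FRR are closest; returns (threshold, far, frr)."""
    best = None
    for t in candidates(genuine, impostor):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best

def operating_point(max_far: float, genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid
    for it; tightening max_far is what makes a strict scanner reject its owner."""
    for t in candidates(genuine, impostor):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    raise RuntimeError("unreachable: the last candidate always has FAR 0")
```

On these samples the EER sits at a threshold of 0.63 with 20% on both sides; insisting on zero false accepts pushes the threshold to 0.74 and rejects 40% of the legitimate user's attempts.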


About Rob van der Staaij

Dr. Rob van der Staaij CISSP, CISA, CISM, CRISC, CEH, CPT is principal at Innopay and lecturer Cybercrime & Cybersecurity at the University of Groningen. His main fields of expertise are Cybersecurity and Identity & Access Management.


About Innopay

Innopay is an independent management consultancy firm specialised in digital strategy and transformation. For businesses it is a challenge to stay relevant in an increasingly digital world. We help clients by providing strategies and solutions in the field of digital identity, online payments, ecommerce, digital innovation and e-business. Read more articles in the blog section of the website.
